Formula Injection by Chirag Savla
Formula Injection (or Spreadsheet Formula Injection) is a vulnerability that affects applications that export spreadsheet files which are dynamically constructed from inadequately validated input data. Many modern web applications and frameworks offer spreadsheet export functionality, allowing users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel and OpenOffice Calc. The resulting spreadsheet’s cells often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses. Once injected, it affects application end-users that access the application's exported spreadsheet files. Successful exploitation can lead to impacts such as client-side command injection, code execution or remote exfiltration of contained confidential data.
1.
2. • Formula Injection (or Spreadsheet Formula Injection) is a vulnerability that affects applications that export spreadsheet files which are dynamically constructed from inadequately validated input data.
• Many modern web applications and frameworks offer spreadsheet export functionality, allowing users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel and OpenOffice Calc.
• The resulting spreadsheet’s cells therefore often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses. Once injected, it affects application end-users that access the application's exported spreadsheet files.
• Successful exploitation can lead to impacts such as client-side command injection, code execution or remote exfiltration of contained confidential data.
3. • When can someone exploit Formula / CSV Injection?
Formula Injection can be exploited when the application has export-to-Excel functionality. It happens with spreadsheet files which are dynamically constructed from inadequately validated input data.
• What can be done using Formula / CSV Injection?
Successful execution can help an attacker carry out client-side command injection or remote code execution, or download malware onto the system.
4. • What payloads are used to test / exploit Formula / CSV Injection?
Any Excel formula can be used to test formula injection.
E.g.: =sum(10+10)
• What else can be used to exploit Formula / CSV Injection?
1) Macros
2) PowerShell
5. • Different ways of writing a formula in Excel
A formula in Excel can start with:
1) =
2) +
3) -
4) @
6. • Making the Payload a Success on Different Platforms (Advanced Payload)
The formula injection flaw occurs because of Dynamic Data Exchange (DDE). DDE is a protocol for interprocess communication under Windows, supported by Microsoft Excel, LibreOffice and Apache OpenOffice.
In LibreOffice and Apache OpenOffice, it can be invoked using the following formula: =DDE(server; file; item; mode)
Example: this one launches calc.exe
=DDE("cmd";"/C calc";"__DdeLink_60_870516294")
In Microsoft Excel it can be invoked using:
=cmd|'/C calc.exe'!Z0
7.
8. • Preventing formula injection is a concern for every application that generates spreadsheets comprising user-supplied content.
• At present, the best defence strategy is prefixing cells that start with ‘=’ and ‘+’ with an apostrophe or a space. This ensures that the cell isn’t interpreted as a formula.
• As an added advantage, in Microsoft Excel the apostrophe itself will not be displayed.
• HTML encoding of special characters can be used as prevention.
• Input validation for = or + characters can be put in place on the client and server side.
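
One way to apply the apostrophe prefix at export time, as an added example that is not part of the original slides. It extends the check from ‘=’ and ‘+’ to all four formula-starting characters listed in slide 5; `neutralize_cell`, `export_csv` and the sample rows are hypothetical names and constructed data.

```python
import csv
import io

# Leading characters that start a formula, as listed in slide 5 of this deck.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return a value the spreadsheet will show as text instead of evaluating."""
    # Typed numbers are produced by the application itself (assumption),
    # so a legitimate negative balance such as -40 is left untouched.
    if isinstance(value, (int, float)):
        return value
    text = "" if value is None else str(value)
    # str.startswith accepts a tuple and matches any of the trigger characters.
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows):
    """Serialize rows to CSV text, neutralizing every cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows: (user name, free-text comment, balance)
SAMPLE_ROWS = [
    ("alice", "thanks for the quick reply", 120.5),
    ("bob", "=sum(10+10)", -40),
    ("carol", "@home after 6pm", 0),
    ("dave", "+1 to this", 7),
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

The prefix is applied where the file is generated, so it also covers values that reached the database before any input validation existed.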